smartcontractkit · tt-cll · Oct 27, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/.github/workflows/codegen.yml b/.github/workflows/codegen.yml
@@ -25,20 +25,19 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
       - name: Display Go version
         run: go version
+      - name: Tidy
+        run: make gomodtidy
       - name: Install protoc
         run: make install-protoc
       - name: Re-Generate files
-        run: |
-          make generate
-      - name: Tidy
-        run: go mod tidy
+        run: make generate
       - name: ensure no changes
         run: |
           set -e
           git_status=$(git status --porcelain=v1)
           if [ ! -z "$git_status" ]; then
             git status
             git diff
-            echo "Error: modified files detected, run 'make generate' / 'go mod tidy'."
+            echo "Error: modified files detected, run 'make gomodtidy' / 'make generate' / ."
             exit 1
           fi
diff --git a/.github/workflows/idl-compatibility-check.yml b/.github/workflows/idl-compatibility-check.yml
@@ -0,0 +1,99 @@
+name: IDL Compatibility Check
+
+on:
+  pull_request:
+    paths:
+      - "chains/solana/contracts/target/idl/base_token_pool.json"
+      - "chains/solana/contracts/target/idl/burnmint_token_pool.json"
+      - "chains/solana/contracts/target/idl/lockrelease_token_pool.json"
+      - "chains/solana/contracts/target/idl/ccip_common.json"
+      - "chains/solana/contracts/target/idl/ccip_offramp.json"
+      - "chains/solana/contracts/target/idl/ccip_router.json"
+      - "chains/solana/contracts/target/idl/cctp_token_pool.json"
+      - "chains/solana/contracts/target/idl/fee_quoter.json"
+      - "chains/solana/contracts/target/idl/rmn_remote.json"
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+
+jobs:
+  check-idl-changes:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Check for bypass label
+        id: check-bypass
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number
+            });
+
+            if (labels.some(label => label.name === 'idl-check-confirmed')) {
+              console.log('IDL check bypass label found');
+              return true;
+            }
+
+            return false;
+
+      - name: List changed IDL files
+        id: changed-files
+        run: |
+          # Only check specific files to reduce noise
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }} HEAD -- \
+            chains/solana/contracts/target/idl/base_token_pool.json \
+            chains/solana/contracts/target/idl/ccip_common.json \
+            chains/solana/contracts/target/idl/ccip_offramp.json \
+            chains/solana/contracts/target/idl/ccip_router.json \
+            chains/solana/contracts/target/idl/cctp_token_pool.json \
+            chains/solana/contracts/target/idl/fee_quoter.json \
+            chains/solana/contracts/target/idl/rmn_remote.json | tr '\n' ' ')
+          echo "files=$CHANGED_FILES" >> $GITHUB_OUTPUT
+          echo "Changed files:"
+          echo "$CHANGED_FILES"
+
+      - name: Comment on PR
+        if: steps.check-bypass.outputs.result != 'true'
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const changedFiles = `${{ steps.changed-files.outputs.files }}`.trim().split(' ').filter(Boolean);
+
+            if (changedFiles.length === 0) {
+              console.log('No monitored IDL files changed');
+              return;
+            }
+
+            const filesList = changedFiles.map(file => `- \`${file}\``).join('\n');
+            const commentBody = [
+              '## ⚠️ IDL Compatibility Check Required ⚠️',
+              '',
+              '### Changes detected in IDL files:',
+              filesList,
+              '',
+              '⚠️ **IMPORTANT**: Please verify that these changes maintain compatibility with our observability pipeline!',
+              '',
+              '#### To bypass this check:',
+              '- Add the `idl-check-confirmed` label to this PR'
+            ].join('\n');
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: commentBody
+            });
+
+      - name: Fail if no bypass
+        if: steps.check-bypass.outputs.result != 'true' && steps.changed-files.outputs.files != ''
+        run: |
+          echo "::error::IDL changes detected - Please confirm compatibility with observability pipeline"
+          exit 1
diff --git a/.github/workflows/solidity-build-and-publish.yml b/.github/workflows/solidity-build-and-publish.yml
@@ -8,6 +8,8 @@
   run:
     shell: bash
 
+permissions: {}
+
 jobs:
   changes:
     name: Detect changes
@@ -130,6 +132,8 @@
     name: Publish Beta NPM
     environment: publish-contracts
     needs: [tag-check, changes, lint, native-compile]
+    permissions:
+      id-token: write  # Required for OIDC
     if: needs.tag-check.outputs.is-pre-release-ccip == 'true'
     runs-on: ubuntu-latest
     steps:
@@ -153,6 +157,11 @@
         working-directory: chains/evm
         run: make wrappers
 
+      - name: Extract bytecode and abi from gobindings
+        run: |
+          cd chains/evm
+          make extract-bytecode-abi
+
       - name: Version package.json
         working-directory: chains/evm
         shell: bash
@@ -171,9 +180,8 @@
           pnpm version "${version}" --no-git-tag-version --no-commit-hooks --no-git-checks
 
       - name: Publish to NPM (beta)
-        uses: smartcontractkit/.github/actions/ci-publish-npm@4b0ab756abcb1760cb82e1e87b94ff431905bffc # ci-publish-npm@0.4.0
+        uses: smartcontractkit/.github/actions/ci-publish-npm@ci-publish-npm/v1
         with:
-          npm-token: ${{ secrets.NPM_CHAINLINK_CCIP }}
           create-github-release: false
           publish-command: "pnpm publish-beta --no-git-checks"
           package-json-directory: chains/evm
@@ -182,10 +190,11 @@
     name: Publish Prod NPM
     environment: publish-contracts
     needs: [tag-check, changes, lint, native-compile]
-    if: needs.tag-check.outputs.is-release-ccip == 'true'
-    runs-on: ubuntu-latest
     permissions:
+      id-token: write  # Required for OIDC
       contents: write
+    if: needs.tag-check.outputs.is-release-ccip == 'true'
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout the repo
         uses: actions/checkout@v4
@@ -206,6 +215,11 @@
       - name: Run native compile and generate wrappers
         working-directory: chains/evm
         run: make wrappers
+
+      - name: Extract bytecode and abi from gobindings
+        run: |
+          cd chains/evm
+          make extract-bytecode-abi
 
       - name: Validate version
         working-directory: chains/evm
@@ -228,9 +242,8 @@
           fi
 
       - name: Publish to NPM (latest)
-        uses: smartcontractkit/.github/actions/ci-publish-npm@4b0ab756abcb1760cb82e1e87b94ff431905bffc # ci-publish-npm@0.4.0
+        uses: smartcontractkit/.github/actions/ci-publish-npm@ci-publish-npm/v1
         with:
-          npm-token: ${{ secrets.NPM_CHAINLINK_CCIP }}
-          create-github-release: false
+          create-github-release: true
           publish-command: "pnpm publish-prod --no-git-checks"
           package-json-directory: chains/evm
diff --git a/.github/workflows/test-deployments.yml b/.github/workflows/test-deployments.yml
@@ -0,0 +1,104 @@
+name: "Test Deployments"
+permissions:
+  contents: read
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  detect_deployments_changes:
+    runs-on: ubuntu-latest
+    outputs:
+      run_solana_deployment: ${{ steps.filter.outputs.run_solana_deployment }}
+      run_evm_deployment: ${{ steps.filter.outputs.run_evm_deployment }}
+      run_deployment: ${{ steps.filter.outputs.run_deployment }}
+      run_crosschain_deployment: ${{ steps.filter.outputs.run_crosschain_deployment }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Detect changes
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          list-files: "shell"
+          filters: |
+            run_deployment:
+              - 'deployment/**'
+            run_evm_deployment:
+              - 'chains/evm/gobindings/generated/**'
+              - 'chains/evm/deployment/**'
+            run_solana_deployment:
+              - 'chains/solana/gobindings/generated/**'
+              - 'chains/solana/deployment/**'
+            run_crosschain_deployment:
+              - 'integration-tests/deployment/**'
+
+  setup-go:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Determine Go version
+        id: go_version
+        run: echo "GO_VERSION=$(cat go.mod |grep "^go"|cut -d' ' -f 2)" >> $GITHUB_ENV
+      - name: Setup Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: Display Go version
+        run: go version
+
+  test-evm-deployments:
+    needs: [detect_deployments_changes, setup-go]
+    if: ${{ needs.detect_deployments_changes.outputs.run_evm_deployment == 'true' }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: chains/evm/deployment
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tests
+        run: go test ./...
+
+  test-solana-deployments:
+    needs: [detect_deployments_changes, setup-go]
+    if: ${{ needs.detect_deployments_changes.outputs.run_solana_deployment == 'true' }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: chains/solana/deployment
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tests
+        run: go test ./...
+
+  test-deployments:
+    needs: [detect_deployments_changes, setup-go]
+    if: ${{ needs.detect_deployments_changes.outputs.run_deployment == 'true' }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: deployment
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tests
+        run: go test ./...
+
+  test-deployments-crosschain:
+    needs: [detect_deployments_changes, setup-go]
+    if: |-
+      ${{
+        needs.detect_deployments_changes.outputs.run_crosschain_deployment == 'true' ||
+        needs.detect_deployments_changes.outputs.run_evm_deployment == 'true' ||
+        needs.detect_deployments_changes.outputs.run_solana_deployment == 'true'
+      }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: integration-tests/deployment
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run tests
+        run: go test ./...
diff --git a/.github/workflows/test-evm-deployments.yml b/.github/workflows/test-evm-deployments.yml
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,33 @@ vendor/
 
 # Ignore personal settings
 **/.claude/settings.local.json
+
+# Tooling caches
+*.tsbuildinfo
+.eslintcache
+
+# Log files
+*.log
+
+# misc
+.DS_Store
+.envrc
+.env*
+.dbenv
+.direnv
+.idea
+.vscode/
+*.iml
+debug.env
+operator_ui/install
+.devenv
+
+# neovim
+.nvim.lua
+
+# codeship
+*.aes
+dockercfg
+env
+credentials.env
+gcr_creds.env
diff --git a/.tool-versions b/.tool-versions
@@ -1,2 +1,2 @@
-nodejs 20.13.1
+nodejs 20.17.0
 pnpm 10.6.5
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -9,3 +9,7 @@
 /chains/solana @smartcontractkit/ccip-onchain-solana
 .github/workflows/solana.yml @smartcontractkit/ccip-onchain-solana
 
+# Deployment tooling
+/deployment @smartcontractkit/ccip-tooling
+/chains/evm/deployment @smartcontractkit/ccip-tooling @smartcontractkit/ccip-onchain
+/chains/solana/deployment @smartcontractkit/ccip-tooling @smartcontractkit/ccip-onchain-solana